[Resolved] Asymmetric crypto possible with PHP?

Havin_it2

Hope someone can help with this. I've been Googling like mad on it but to no avail. I want to make a PHP/mySQL eCommerce site but it seems there's no support for public-key crypto.

My plan was to use a public key to encrypt data stored on the database, and decrypt via a CMS using the private key. (All this would be done over SSL connection). It's basically a trust issue with the hosting provider, so maybe I'm being over-cautious, but given that it would probably be on a shared server, it seems wiser that way ... if it's possible.

One thought I had was regarding the SSL certificate, which is also public-key: could this be multi-tasked to encrypt user data in the database, like through a script? I don't know too much about certificates (yet) so if anyone knows about this...

Cheers

Weedpacket

PHP uses [man]mcrypt[/man] for its cryptographic library. It provides the standard SSL ciphers (RC2, RC4, 3DES, Rijndael) and hash functions (MD5, SHA1); key exchange isn't really needed for encrypted storage because you're not exchanging keys with anyone.

Havin_it2

I know about mcrypt, but that doesn't cut it in my scenario - all the mcrypt algorithms are, I believe, symmetric, which means...

To encrypt user data when it is entered into the database, I would have to have the key written into the script, which sits on the server and is therefore just as vulnerable as if I put unencrypted data straight into the database.

My idea is that if the script encrypts with a public key, the data is only recoverable by my private key, which I enter through the site's admin pages (on SSL). It's the only way I can think of that stores the data without the server's admin being able to see it.

Problem is, I don't see any way of including that kind of algorithm in PHP. I was just asking if anyone's heard of an existing implementation...

Weedpacket

Oh, I see. No, mcrypt doesn't have asymmetric ciphers yet (those are being considered for a future version).

I guess it would be overkill installing something like Cryptlib for this; but it ought to be possible (once one gets one's hands on a specification) to implement an algorithm of (e.g., RSA-OAEP) in PHP directly.

Um. I just remembered something. [man]OpenSSL[/man] includes handling public/private keypairs. You've got the four functions openssl{public|private}{en|de}crypt() to play with... in fact, just checking them over I see a usernote for [man]openssl_private_decrypt[/man] that starts "Encrypt using public key, decrypt using private key. Use this to store stuff in your database: Unless someone has your private key, the database contents are useless."

Natty_Dreadlock

you're right that mcrypt does not support asymetric crypto, however, u can use the openssl module (http://de.php.net/manual/en/ref.openssl.php) which implements virtually all necessary functions for public/private key encryption and signing - u will need a few days to get into (if u did not work with openssl before, of course) - e.g. u cannot encrypt large chunks of data directly with the public key (u should use the built in function openssl_seal or just encrypt a session key u can then use with the mcrypt functions), but search the net for tutorial (although there are only a few, i think) or ask here again.
Always be careful when working with ciphers, coz most of the time an encryption protocol is not broken because it's usin a weak algorithm but due to wrong usage of the cipher - so good luck with your project and if u encounter further questions, feel free to ask.
hth

Havin_it2

Thanks guys!

I've had OpenSSL as part of a W32 binary from openSA.org for ages but never knew the functions. Unfortunately those nice people who compiled the binary to allow HTTPS testing, neglected to do whatever was necessary for PHP to access the functions. I've tried the openSSL docs but they are full of impenetrable *nix-speak (fair enough, i guess... 🙁 )

Thanks for getting me on the right road anyways, I will do some more googling and move this one over to the INSTALLATION forum.

Cheers!